[development] Think there's a security problem in your module? Here's what to do.

Angela Byron drupal-devel at webchick.net
Fri Jan 18 20:14:38 UTC 2008

Greg Knaddison - GVS wrote:
>> 5. Once a consensus is reached, commit it to your module on
>> cvs.security.drupal.org. Run through your normal testing procedures and
>> make sure things look good.
> I don't see how this adds much more value over:
> wget http://example.com/path_to_patch
> patch -p0 < security_patch_revision_3.patch
> But, if you and dww both really like this and want to work on it I
> certainly won't stand in the way.  It seems lower value to me but I am
> not in charge of your schedules.

I'm definitely not married to it... This was just an attempt to address 
the criticism that it's hard to test *exactly* what the end users would 
be downloading once the security release is created. But you're right 
that patch -p0 certainly does the trick. :)

Removing this step would eliminate one sync script that needs to be
written and the overhead required for management of a separate CVS
repository, and doesn't detract at all from the benefits of an open
dialog with developer participation in fixing the actual issue itself.

I'm +1 to its removal, but defer to dww since he knows a lot better than 
me (or probably most of us ;)) what would be involved here, and how much 
work it would actually cost/save.

